The new Payment Services Directive (PSD2) retains the same basic structure as the original Payment Services Directive (PSD1). PSD2 is divided into six titles, each of which focuses on a different subject-matter. Accordingly, title I covers scope and definitions, title II deals with the authorisation and regulation of payment service providers (PSPs), title III focuses on transparency, title IV establishes the respective rights and obligations of payment service users (PSUs) and PSPs, and titles V and VI set out provisions on delegated acts and implementation. In addition, the different categories of payment service are set out in the Annex.

Despite retaining the same basic structure, the reach of PSD2 is broader than its predecessor. This is because of the expansion of the territorial scope provisions and the simultaneous narrowing down of the exemptions (commonly known as the ‘negative scope provisions’).

Territorial scope

Most provisions of title III and title IV of PSD2 will now apply to a broader range of payment transactions. Specifically, transactions in non-European currencies where both the payer's and the payee's PSP (or the sole PSP in the transaction) are located in the European Union (EU) will be caught, as will ‘one leg out’ payment transactions in all currencies (i.e. where only one PSP is located in the EU). ‘One leg out’ transactions were outside the scope of PSD1, but PSD2 now brings them in scope "in respect of those parts of the payment transaction which are carried out in the Union". This wording operates as a limit to the reach of PSD2 and seeks to offer some comfort to PSPs who would not be able to fulfil their obligations in respect of transactions (or components thereof) taking place outside of the EU over which they have no control (e.g. because these are subject to foreign systems and rules). PSPs will need to carry out an impact analysis and assess which parts of each transaction qualify as having been "carried out in the Union"; in the absence of guidance as to the precise meaning of this wording, this may not be a straightforward exercise.

Negative scope

PSD2 amends some of the exemptions established under PSD1. Changes to the "commercial agent" exemption attempt to address the divergent interpretations taken by some EU Member States, making clear that the exemption applies when agents act only on behalf of the payer or payee (not both). Where agents act on behalf of both parties (e.g. in respect of e-commerce platforms) the exemption will only apply in cases where the agent does not come into possession, or have control of, clients’ funds. Moreover, it will no longer be possible to use the same payment instrument within more than one limited network, or to acquire an unlimited range of goods and services, and therefore the "limited network" exemption will now only be available to genuinely small networks. PSD2 also limits the scope of the mobile device content exemption to individual payments that do not exceed 50 euros and, on a monthly basis, transactions not exceeding 300 euros in aggregate per subscriber.

The Automated Teller Machine (ATM) exemption set out in Article 3(o) of PSD1, which was removed from the European Commission's (the Commission) original PSD2
proposal, has now been reinstated. ATM operators will be subject to obligations to provide customers with information on withdrawal charges — both prior to the transaction and on the customer's receipt — aiming to enhance transparency.

PSD2 seeks to minimise divergent interpretations around the application of certain exemptions. In certain cases, PSPs pursuant to PSD2 will have to notify competent authorities, so that an assessment can be made as to whether the requirements of an exemption have been met.

Expanding the market

PSD2 creates two new types of PSPs, commonly referred to as ‘third party payment service providers’ (TPPs), and attempts to strike a balance between opening up the payments market and maintaining appropriate security standards for online payments.

PSD2 contains provisions requiring EU Member States to ensure that all payment institutions have access to payment account services provided by banks. This is designed to prevent banks from refusing to open and maintain bank accounts for payment institutions. Although the right of a bank to reject account applications on valid grounds (such as anti-money laundering concerns) would not be affected, banks that decline to provide a bank account to another payment institution will have to explain the rejection to the regulator.

Under PSD2, payment initiation service providers (PISPs) are required to be authorised but are subject to a reduced minimum own funds requirement of 50,000 euros. Account information service providers (AISPs) are expressly exempt from authorisation, but are subject to a registration requirement. Both types of entity have to hold professional indemnity insurance or a comparable guarantee in order to ensure that they are able to meet liabilities arising in relation to their activities, as PSD2 aims to achieve a level of supervision commensurate with the risk such new entrants introduce into the system.
that want to provide different payment services involving holding users' funds will need to obtain full regulatory authorisation.

PSD2 jargon buster:

PSP – payment service provider

PSU – payment service user

ASPSP – account servicing payment service provider, usually being the bank of the payer or the payee in the context of payment transactions made via online banking

PISP – payment initiation service provider providing a software "bridge" between a payer and the
of the payer so as to facilitate online payments by initiating an order at the request of the payer

AISP – account information service provider providing PSUs with aggregated online information for multiple payment accounts held with multiple
and accessed via the online systems of those

TPP – third party payment service provider (i.e. a PISP and/or an AISP)

Payment initiation services

PISPs operate at the heart of online banking transactions, providing the interface through which customers access their online account and transmitting the requisite data to effect a payment. In the case of a PISP issuing card based payment instruments, the PISP acts as a facilitator that enables the transmission of funds, by confirming that the payer has sufficient funds in its account to execute a transaction. PSD2 clarifies that a PISP will not receive or handle customer funds at any stage and will not provide a statement of account balance. Following extensive debate in respect of security and data protection issues, the role of PISPs has been confined to giving a 'yes' or 'no' answer as to whether the payer has sufficient funds in its account to complete a transaction. PSD2 sets out various conditions that must be met before a PISP can offer its services (e.g. the payer must give its explicit consent to the account servicing payment service provider (ASPSP) to respond to requests from a specific PISP prior to the first request for confirmation being made) and imposes obligations on PISPs (such as making sure that they authenticate themselves and communicate securely with the ASPSP for each confirmation request made by a payer). After debate during the
legislative process, the final PSD2
text prohibits
from obliging
to enter into contracts with them prior to the provision of the service.

Account information services

AISPs provide PSUs with aggregated online information for multiple payment accounts held with different
(which are accessible through the online systems of those
). In light of the fact that such entities require access to those payment accounts to provide their services, PSD2 requires
to respond to data requests from AISPs in a non-discriminatory manner and gives PSUs the right to make use of account information services. The final PSD2 text stipulates that the provision of account information services shall not be made dependent on the existence of a contractual relationship between the ASPSP and the AISP.

Generally, the provisions and approach relating to AISPs are similar to those that apply to PISPs.

Moving towards strong customer authentication

PSD2 places great emphasis on the security of electronic payments and introduces and defines the concept of "strong customer authentication", which will be further refined by the European Banking Authority (EBA) and the European Central Bank (ECB) in guidance and regulatory technical standards. PSPs have to apply strong customer authentication where a PSU accesses its online account or initiates an electronic payment transaction.

The EBA guidelines on the security of internet payments (guidelines), using PSD1 as the legal basis, were published on 19 December 2014 (see ‘related links’ below). These should be implemented by PSPs by 1 August 2015, and the EBA has stated that it intends to publish more stringent requirements as required under PSD2 once that has come into effect. The guidelines include an enhanced version of customer authentication for all electronic payment transactions and place various obligations on PSPs to carry out risk assessments and to monitor security incidents. The authentication approach is one based on two out of the three components set out in the guidelines: something only the user knows, something only the user possesses and something the user is. It remains to be seen what the content of the updated guidelines that the EBA will publish pursuant to PSD2 will be and it is expected that a similar ‘comply or explain’ approach will be followed.

Reducing the liability burden?

The publication of the original
Commission proposal in the summer of 2013 rang alarm bells among stakeholders: the attempt of the draftsmen to reallocate the liability burden to cater for the introduction of TPPs into the regulated payment services arena was considered by many as potentially giving rise to more issues than it was attempting to solve.

Under PSD2,
are liable for unauthorised payment transactions although PSUs may be obliged to bear losses up to 50 euros (reduced from 150 euros under PSD1) in cases of lost or stolen payment instruments.

The final PSD2 text suggests that some of the concerns raised during the legislative process have been taken on board. For example, the concept of deemed consent and the ability of a payee to indirectly give consent for a transaction that featured in the original Commission proposal have been removed. Generally, the relevant principle in the final PSD2 text is one of each relevant PSP taking responsibility for the respective parts of the transaction under its control. Accordingly, where a PSU initiates a payment transaction through a PISP, the PISP shall have the burden of proving that, within its sphere of competence, such transaction was authenticated, accurately recorded and not affected by deficiencies linked to the payment service it is in charge of. However, in the absence of a contract between a PISP and an ASPSP, and in light of the fact that in the interests of consumer protection a payer is entitled to claim a refund from the ASPSP (even where a PISP has been involved), it remains to be seen how the allocation of liability provisions will operate in practice. Again, in this respect the final text of PSD2 deals with some of the concerns that the industry had raised in response to the Commission’s original proposal, as it provides that if the PISP is liable for an unauthorised, non-executed or defectively executed transaction or a payment transaction that was executed late, it shall immediately compensate the ASPSP at its request for sums paid or losses incurred as a result of any refund. However, concerns at the possibility of widespread losses caused by a thinly capitalised PISP remain unaddressed.

Beyond PSD2

The legislators of PSD2 have tried not to lose sight of other initiatives and legislative measures and, accordingly, PSD2 refers to other EU laws or concepts that are relevant to its provisions. For example, data protection issues are expressly mentioned in PSD2, especially in the context of Directive 95/46/EC and Regulation EC No 45/2001 (see ‘related links’ below): PSD2 makes clear that PSPs should ensure that data protection laws are complied with. The references to the Network and Information Security (cyber-security) Directive (NIS) (see ‘related links’ below) that were contained in the Commission's earlier draft proposal have now been replaced with an independent obligation under PSD2 to maintain and establish incident management procedures, to report assessments on operational and security risks to competent authorities and to engage in incident reporting.

Maria Troullinou is a Senior Associate in the financial regulation group at Clifford Chance in London (maria.troullinou@cliffordchance.com).


In this article

The arrival of the new Payment Services Directive (PSD2) in the internal market repealing the current Payment Services Directive 2007/64/EC (PSD1) has been a closely monitored development since the publication of the European Commission's (the Commission) Green Paper on Card, Internet and Mobile Payments (COM (2011) 941) in January 2012. On 2 June 2015 the final compromise text of PSD2 was released. The updated
broadens the scope of PSD1, captures a wider range of payment transactions, and also addresses some of the concerns raised during the legislative process regarding questions of liability. Payment service providers (PSPs) will have to ensure that they comply with its provisions by the transposition date around end-2017. In this article, Maria Troullinou of Clifford Chance LLP looks at the key changes that PSD2 will introduce and at how the text has evolved since the initial Commission proposal was published in the summer of 2013.

The views expressed in this article are solely those of the author and should not be attributed to the European Payments Council.

Key Information in this Article

The arrival of the new Payment Services Directive (PSD2) means that payment service providers (PSPs) have to ensure that they comply with its provisions by the transposition date around end-2017.

Despite retaining the same basic structure, the reach of PSD2 is broader than its predecessor. This is because of the expansion of the territorial scope provisions and the simultaneous narrowing down of the negative scope exemptions.

In the context of online payments, PSD2 creates two new types of PSPs: payment initiation service providers (PISPs) and account information service providers (AISPs), and brings the provision of payment initiation services and account information services within the regulated sphere.

PSD2 places great emphasis on the security of internet payments and introduces and defines the concept of "strong customer authentication". PSPs have to apply strong customer authentication where a payment service user (PSU) accesses its online account or initiates an electronic payment transaction.

The amended liability regime (aimed at re-allocating the liability burden to cater for the introduction of these two new actors) and the emphasis placed on the security of internet payments in the form of upcoming guidelines will have to be assessed by PSPs.

An impact analysis should be carried out to determine what changes to legal documentation and operational processes will be required as a result of the new provisions.